Metasploit vSploit Modules - DEF CON

Marcus J. Carey

David “bannedit” Rude

Will Vandevanter

Outline

• Objective of vSploit Modules

• Metasploit Framework architecture

• What are Metasploit modules?

• vSploit modules

• vSploit and Intrusion Kill Chains

• Writing Metasploit Modules

• Live Demo

Metasploit overview

• Metasploit Project founded in 2003

• Open source penetration testing platform with over 1 million downloads in the past year

• Acquired by Rapid7 in 2009

• HD Moore joined Rapid7 as Chief Security Officer and Chief Architect of Metasploit

• Rapid7 remains committed to the Community

• Metasploit Framework is the foundation for the commercial editions Metasploit Express and Metasploit Pro

Metasploit Framework Architecture

[Diagram: LIBRARIES (Rex, MSF Core, MSF Base); INTERFACES (Console, CLI, RPC, GUI & Armitage); MODULES (Exploit, Payload, Encoder, NOP, Auxiliary); TOOLS; PLUGINS]

What are Metasploit Modules?

• More than just exploits

• Payloads – the “arbitrary code” you hear about in advisories

• Encoders – add entropy to payloads, remove bad characters

• NOP – create sophisticated nopsleds

• Auxiliary – Like an exploit module but without a payload

– Underappreciated

Which would you pick for a training drill?

Live Ammo? Or Paint Balls?

Live Ammo = Live Exploits; Paint Balls = vSploit Modules

Introducing: vSploit Modules

• New spin on auxiliary modules

– Focus on attack response emulation

– Not intended for exploitation

– Continues with Metasploit's roots as a security testing and validation framework

– Allows organizations to understand their current security investment

• Stand-alone compatibility

– No exploitation used

– Possible to remove exploit modules if necessary in some environments

vSploit: Purpose

• Evaluate devices on their own merit

• Minimal traffic evasion

• Trigger alerts on purpose

• Ensure proper network device placement

• Test and train security staff

• Test security architecture without exploits

vSploit: Interesting Traffic

• Many network-based security offerings monitor network traffic for behavior

• Many devices are signature based

• Need to be placed on the network properly to see interesting traffic

• Good test cases are hard to emulate

vSploit: Network Traffic Device

• IDS

• IPS

• DLP

• Firewalls

• Network Intelligence Devices

Security Monitoring

• ESIM

• Netflow collectors

• Other log correlation devices (e.g. Splunk)

• Network-based vulnerability analysis devices

IDS/IPS

• Signature-based

• Looks for known suspicious traffic

• SQL injections

• Attack responses

• Alert on suspicious behavior

Data Loss Prevention (Network Based)

• Similar to IDS

• Concerned with data leakage

• Personally Identifiable Information (PII)

– Social security numbers

– Payment information

• Protected Health Information (PHI)

– Medical records

• PCI-related data

– Credit card numbers
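
An added example (not from the original slides) of the kind of matching a network DLP device applies to the data types listed above: card numbers are confirmed with the Luhn checksum and SSNs with structural rules, so only plausible values raise a hit. The sample HTTP body, the patterns and the function names are constructed for illustration.

```ruby
# Added example: DLP-style matching of SSNs and card numbers in a payload.
# The sample body is constructed; names and patterns are illustrative.

SAMPLE_BODY = <<~BODY
  <tr><td>Jane Doe</td><td>123-45-6789</td><td>4111 1111 1111 1111</td></tr>
  <tr><td>Order ref</td><td>000-12-3456</td><td>4111 1111 1111 1112</td></tr>
  <tr><td>Tracking</td><td>1234567890123456</td></tr>
BODY

SSN_RE  = /\b(\d{3})-(\d{2})-(\d{4})\b/
CARD_RE = /\b(?:\d[ -]?){12,18}\d\b/ # 13 to 19 digits, optional separators

# Luhn checksum: double every second digit from the right, then sum.
def luhn_valid?(digits)
  sum = digits.reverse.each_char.with_index.sum do |ch, i|
    d = ch.to_i
    d *= 2 if i.odd?
    d > 9 ? d - 9 : d
  end
  (sum % 10).zero?
end

# Structural SSN rules: area not 000, 666 or 9xx; group not 00; serial not 0000.
def ssn_plausible?(area, group, serial)
  return false if %w[000 666].include?(area) || area.start_with?('9')

  group != '00' && serial != '0000'
end

# Return [type, value] pairs for every plausible identifier in the body.
def dlp_hits(body)
  hits = []
  body.scan(SSN_RE) do |area, group, serial|
    hits << [:ssn, "#{area}-#{group}-#{serial}"] if ssn_plausible?(area, group, serial)
  end
  body.scan(CARD_RE) do |candidate|
    digits = candidate.delete(' -')
    hits << [:card, digits] if luhn_valid?(digits)
  end
  hits
end

dlp_hits(SAMPLE_BODY).each { |type, value| puts "#{type}: #{value}" }
```

Only the first row produces hits; the second and third rows look like identifiers but fail the structural and checksum tests, which is the difference between a validated DLP rule and a bare digit pattern.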

Enterprise Security Information Management (ESIM)

• Collects system logs

• Significant capital investment

• Provides correlation

• Provides reporting

• Key to most security operations efforts

vSploit: Interesting Traffic

[Diagram: Client, Network Traffic Analysis Device and MSF on the network. Client Sends Request for Interesting Traffic and Designated Port; MSF Sends Signature Matching String.]

vSploit: Simulating Malicious DNS Queries

[Diagram: MSF, DNS Server, ESIM. Metasploit sends out DNS queries (foo.ru, foo.cn, foo.kp) to the internal DNS server, i.e. a Domain Controller; the resulting logs go to the ESIM.]
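
The monitoring-side check for this slide, as an added example that is not part of the original deck: it parses DNS query log lines and reports which of the emulated lookups (foo.ru, foo.cn, foo.kp) from the test host actually reached the logs the ESIM consumes. The BIND-style log layout, the addresses and the function names are assumptions, and the log lines are constructed.

```ruby
# Added example: confirm that emulated DNS lookups reached the query logs.
# Log lines are constructed; the BIND-style layout is an assumption.

TEST_DOMAINS = %w[foo.ru foo.cn foo.kp].freeze # names shown on the slide

SAMPLE_LOG = <<~LOG
  01-Aug-2011 10:15:02.123 client 10.0.0.5#53211: query: foo.ru IN A + (10.0.0.1)
  01-Aug-2011 10:15:02.456 client 10.0.0.5#53212: query: FOO.CN. IN A + (10.0.0.1)
  01-Aug-2011 10:15:03.001 client 10.0.0.9#40022: query: www.example.com IN A + (10.0.0.1)
  01-Aug-2011 10:15:04.010 client 10.0.0.9#40023: query: foo.kp IN A + (10.0.0.1)
  truncated line with no query field
LOG

QUERY_RE = /client\s+(?<client>[0-9a-fA-F.:]+)#\d+.*?:\s+query:\s+(?<name>\S+)\s+IN\s+(?<type>\S+)/

# Normalise a DNS name: lower-case it and drop the trailing root dot.
def normalize(name)
  name.downcase.chomp('.')
end

# Turn log text into query records, skipping lines that do not parse.
def parse_queries(log)
  log.each_line.map do |line|
    m = QUERY_RE.match(line)
    next unless m

    { client: m[:client], name: normalize(m[:name]), type: m[:type] }
  end.compact
end

# Which expected test names were logged for the given test host?
def coverage(log, expected, source_ip)
  seen = parse_queries(log).select { |q| q[:client] == source_ip }
                           .map { |q| q[:name] }
  wanted = expected.map { |d| normalize(d) }
  { logged: wanted & seen, missing: wanted - seen }
end

# What a simple TLD-based correlation rule would flag, from any client.
def flag_by_tld(log, tlds)
  parse_queries(log).select { |q| tlds.include?(q[:name].split('.').last) }
end

report = coverage(SAMPLE_LOG, TEST_DOMAINS, '10.0.0.5')
puts "logged: #{report[:logged].join(', ')}  missing: #{report[:missing].join(', ')}"
```

A name in `missing` means the lookup from the test host never reached the log source, which points at device placement or log forwarding rather than at the correlation rule.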

Intrusion Kill Chains

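Kill Chain – Course of Action Matrix

Courses of action, in column order: Detect, Deny, Disrupt, Degrade, Deceive, Destroy

• Reconnaissance – Detect: Web Analytics; Deny: Firewall ACL

• Weaponization – Detect: NIDS; Deny: NIPS

• Delivery – Detect: Vigilant user; Deny: Proxy Filter; Disrupt: In-line AV; Degrade: Queuing

• Exploitation – Detect: HIDS; Deny: Patch; Disrupt: DEP

• Installation – Detect: HIDS; Deny: chroot jail; Disrupt: AV

• C2 – Detect: NIDS; Deny: Firewall ACL; Disrupt: NIPS; Degrade: Tarpit; Deceive: DNS redirect

• Actions on Objectives – Detect: Audit log; Degrade: Quality of Service; Deceive: Honeypot

Source: Hutchins, Cloppert, Amin – Lockheed Martin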

vSploit Testing Detection Capabilities

[Kill Chain Course of Action Matrix, repeated from the preceding slide]

Unable to perform tests in red.

Source: Hutchins, Cloppert, Amin – Lockheed Martin

vSploit Modules Screen Shots

vSploit: Web PII Module - Configuration

vSploit Web PII Module - In Action

vSploit: HTTP File Download Server

vSploit Web Beaconing - Configuration

vSploit: Web Beaconing – In Action

vSploit: DNS Beaconing – Wireshark Analysis

vSploit: Vulnerable Headers

vSploit: Vulnerable Headers PCAP

Writing Metasploit Modules

Where to Learn Ruby

• http://pine.fm/LearnToProgram/

• The Little Book of Ruby

• Humble Little Book of Ruby

• Metasploit Repository Documentation

http://r-7.co/iNmOBt

Auxiliary Module Basics

Auxiliary Module: Code can be simple

Using IRB in Metasploit

Exploit Written in Python

Same Exploit in Metasploit

Where to put it…

• Official modules live in msf3/modules/

– Subdirectories organized by module type (exploit/, auxiliary/, post/, … )

• ~/.msf3/modules/ has the same structure, loaded at startup if it exists

• ~/.msf3/modules/auxiliary/vsploit is the location for vSploit modules

Quick demos

vSploit Documentation

• vSploit documentation in Rapid7 Community

– https://community.rapid7.com

Questions?

Marcus J. Carey: @iFail

David “bannedit” Rude: @msfbannedit

Will Vandevanter: @willis__ (two underscores)